Use zuul firewall rules in gate

Till now we've been flusing iptables in the gates to allow cross node
communication in the multi node ceph jobs. This raised security
concerns, in particular it exposed memcached to the external net.

This patch uses the infra provided role 'multi-node-firewall' in order
to correctly configure iptables. Thanks to Jeremy Stanley and Jeffrey
for help with this.

Closes-Bug: #1749326
Change-Id: Iafaf1cf1d9b0227b0f869969d0bd52fbde3791a0
This commit is contained in:
Paul Bourke 2018-03-08 12:55:05 +00:00
parent e66cb5d46b
commit 404d4d0a50
2 changed files with 4 additions and 7 deletions

View File

@ -71,6 +71,8 @@
- ^doc/.* - ^doc/.*
vars: vars:
scenario: aio scenario: aio
roles:
- zuul: openstack-infra/zuul-jobs
- job: - job:
name: kolla-ansible-centos-source name: kolla-ansible-centos-source

View File

@ -29,10 +29,5 @@
hostname: hostname:
name: "{{ inventory_hostname }}" name: "{{ inventory_hostname }}"
become: true become: true
roles:
# TODO(inc0): we're dropping iptables rules but in fact we should create - multi-node-firewall
# linuxbridge-managed tunnels for control and dataplane
- name: Drop iptables rules
command: "iptables -F"
become: true